Performance

Managers quickly look towards performance management when metrics become available.

However, an available method to quantify risks may not translate well for measuring individual or organizational performance. Trouble awaits for those who assign incentives (bonuses, promotions, etc.) for directionally favorable changes in risk measurements, especially ones that rely on expert elicitation.

Objectives and Key Results (OKR) and KPIs are still valuable leadership tools that assume values (in this case, a risk measurement) may correlate with some notion of success. While these approaches have leadership value, there are rough edges. Metrics-based management is especially dangerous with risk metrics.

Here is a strawman example:

Our goal is to lower the probability and impact of a disclosable SEV0 incident.

While a management direction towards reducing this risk may be healthy, it may not be healthy when used as a tool for directly measuring performance.

KPIs are subject to organizational toxicity whether they are objectively measurable or subjectively approximated through expert elicitation.

An organization should avoid "risk" being valued as the individual performance measure.

Instead, a performance management focus on the completion of activities that measure, discover, and mitigate risk is more attractive for performance assessment. These contributions should be viewed independently of the risk measure. In other words, let the scoreboard handle itself.